[strongSwan] Site to Site VPN configuration using multiple traffic selectors

Thomas Egerer hakke_007 at gmx.de
Sat Feb 20 09:54:15 CET 2016


Hello Heiner,

On 02/20/2016 03:17 AM, Chris Buechler wrote:
> On Fri, Feb 19, 2016 at 6:17 AM, Erne, Heiner <Heiner.Erne at belden.com> wrote:
>> Hello,
>>
>> I would like to ask how to configure with strongSwan a site to site
>> configuration with multiple traffic selectors in one IKE setup, e.g.
>>
>> Site1  <--------------------------------------------------------> Site 2
>>
>> Traffic selector 1 (shall have one ESP tunnel with this traffic selector)
>>
>> 192.168.1.0/24 <-> 172.16.1.0/24
>>
>> Traffic selector 2 (shall have another ESP tunnel with this traffic
>> selector)
>>
>> 192.168.3.0/24 <-> 172.16.3.0/24
>>
> 
> They're specified as comma-separated values (for IKEv2) in leftsubnet
> and rightsubnet. So for that example, something like:
> leftsubnet=192.168.1.0/24,192.168.3.0/24
> rightsubnet=172.16.1.0/24,172.16.3.0/24
Please note that this results in the following configured traffic flows:

192.168.1.0/24 <-> 172.16.1.0/24
192.168.1.0/24 <-> 172.16.3.0/24
192.168.3.0/24 <-> 172.16.1.0/24
192.168.3.0/24 <-> 172.16.3.0/24

Judging from your picture this may not necessarily be what you want.

Thomas

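Added example, not part of the original thread and not strongSwan code: a small check that expands `leftsubnet`/`rightsubnet` into the flows each conn section permits and lists any pair outside the two the question asked for. The conn names and both config fragments are constructed for illustration, and putting one subnet pair in each conn section is an assumed alternative layout for comparison, not something proposed in the thread.

```python
import ipaddress
from itertools import product

# Constructed ipsec.conf fragments; conn names are placeholders, only subnet options shown.
COMBINED = """
conn site2
    leftsubnet=192.168.1.0/24,192.168.3.0/24
    rightsubnet=172.16.1.0/24,172.16.3.0/24
"""
SPLIT = """
conn ts1
    leftsubnet=192.168.1.0/24
    rightsubnet=172.16.1.0/24
conn ts2
    leftsubnet=192.168.3.0/24
    rightsubnet=172.16.3.0/24
"""
# The two flows drawn in the original question.
INTENDED = {("192.168.1.0/24", "172.16.1.0/24"), ("192.168.3.0/24", "172.16.3.0/24")}

def parse_conns(text):
    """Return {conn name: {option: value}} for every conn section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def subnets(value):
    """Split a comma-separated subnet list and validate each entry."""
    return [str(ipaddress.ip_network(s.strip())) for s in value.split(",") if s.strip()]

def flows(text):
    """Every (left, right) pair a config permits: the cross product within each conn."""
    out = set()
    for opts in parse_conns(text).values():
        if "leftsubnet" in opts and "rightsubnet" in opts:
            out |= set(product(subnets(opts["leftsubnet"]), subnets(opts["rightsubnet"])))
    return out

def unintended(text, intended=INTENDED):
    return sorted(flows(text) - intended)

if __name__ == "__main__":
    for name, cfg in (("combined", COMBINED), ("split", SPLIT)):
        print(name, "flows outside the intended set:", unintended(cfg))
```
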

